Comment on WireGuard Easy and a third-party VPN service.
LetchLemon@lemmy.blahaj.zone 2 days ago
Here is the compose file and the PostUp script I'm working on.
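# Compose stack: gluetun (outbound VPN client) and wg-easy (inbound WireGuard
# server plus web UI) on a shared user-defined bridge with fixed addresses.
services:
  gluetun:
    image: qmcgaw/gluetun:v3
    hostname: gluetun
    restart: always
    networks:
      wg:
        ipv4_address: 192.168.1.10
    # Host ports 51720/udp and 51821 were published here AND on wg-easy; two
    # services cannot bind the same host port, so compose would fail with a
    # port-allocation conflict. They are kept on wg-easy, which runs the
    # tunnel and the UI. If gluetun is meant to front wg-easy instead
    # (network_mode: "service:gluetun" on wg-easy), publish them here and drop
    # the networks/ports blocks from wg-easy — confirm the intended design.
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
      - VPN_TYPE=${VPN_TYPE}
      # Private key is read from the env file; keep it out of this file and
      # out of version control.
      - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_CITIES=${SERVER_CITIES}
      # NOTE(review): confirm against the gluetun docs that ALLOWED_IPS is the
      # variable name gluetun reads for this provider/VPN type.
      - ALLOWED_IPS=0.0.0.0/1
      # Subnets allowed to bypass the tunnel; set OUTBOUND_SUBNET to the
      # appropriate subnet. The original value ended in a stray "$" after the
      # closing brace, which corrupts the interpolated value.
      - FIREWALL_OUTBOUND_SUBNETS=${OUTBOUND_SUBNET}
      - DNS_ADDRESS=${DNS}
      # - HEALTH_TARGET_ADDRESS=cloudflare.com:80
      # - HEALTH_VPN_DURATION_INITIAL=120s

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    environment:
      # INITIAL SETUP NOT FOR PRODUCTION (author's note): remove once setup
      # is finished and the UI is reached only over a trusted path.
      - INSECURE=true
    networks:
      wg:
        ipv4_address: 192.168.1.20
    volumes:
      - ./data:/etc/wireguard
      # Together with SYS_MODULE this lets the container load host kernel
      # modules; needed only when the host kernel lacks a built-in wireguard
      # module — drop both if it does not.
      - /lib/modules:/lib/modules:ro
    # Quoted: a "host:container" mapping is digits-and-colon and can be read
    # as a sexagesimal integer by YAML 1.1 parsers.
    ports:
      - "51720:51720/udp" # wireguard
      - "51821:51821/tcp" # web ui
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      # NOTE(review): IPv6 is enabled and forwarded here while the wg network
      # below has enable_ipv6: false and its IPv6 subnet commented out; either
      # enable IPv6 on the network or drop these three sysctls.
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  # Both services attach to a network named "wg", but the original defined it
  # as "vpn", which compose rejects as an undefined network.
  wg:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        # Container IP range / gateway. 192.168.1.0/24 is a very common home
        # LAN range; if the host LAN uses it, routing between the two breaks —
        # consider a less common private range.
        - subnet: 192.168.1.0/24
        # - subnet: fdcc:ad94:bacf:61a3::/64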
PostUp script:
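#!/bin/sh
# PostUp hook: locate the interface carrying wg-easy's address on the compose
# bridge, fail closed if it is missing, then install a default-deny forward
# policy, open the WireGuard listen port, and add a policy-routing entry.
#
# `[[ ... ]]` and `{{ ... }}` are template placeholders expanded before this
# script runs; they are left exactly as written.

# Detect the VPN bridge interface by wg-easy's container IP.
VPN=$(ip -o -4 addr show | awk '$4 ~ /^[[ wg_easy_ip_esc ]]\// {print $2; exit}')

# Fail closed. The original `test -n "$VPN";` had no effect because nothing
# acted on its exit status; a hook that exits non-zero aborts bring-up instead
# of continuing with an empty interface name.
if [ -z "$VPN" ]; then
  echo "PostUp: no interface found for the wg-easy address" >&2
  exit 1
fi

# Default-deny forwarding in both address families.
# NOTE(review): with policy DROP and no ACCEPT rules in FORWARD, traffic from
# WireGuard peers is not forwarded anywhere; explicit FORWARD rules for the
# tunnel interface are still needed — confirm against the wg-easy hook docs.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP

# Accept the WireGuard listen port. The `[[ ipt ]]` placeholder presumably
# selects append/delete so the same text serves PostUp and PostDown — verify.
iptables [[ ipt ]] INPUT -p udp -m udp --dport {{port}} -j ACCEPT
ip6tables [[ ipt ]] INPUT -p udp -m udp --dport {{port}} -j ACCEPT

# Direct subnets.
# `ip route` has no `-A` option; the verb is `add`. `via` takes a single
# next-hop address, not a prefix: 192.168.1.0/24 is the bridge subnet, so the
# gateway must be one host on it (presumably gluetun's 192.168.1.10 from the
# compose file — confirm). Unset VPN_GATEWAY aborts the hook rather than
# silently installing a wrong route.
VPN_GATEWAY="${VPN_GATEWAY:?set VPN_GATEWAY to the next-hop address on the bridge}"
ip route add 10.1.0.0/16 via "$VPN_GATEWAY" dev "$VPN" table 200
# NOTE(review): routes in table 200 are only consulted when an `ip rule`
# selects that table; no such rule is added here — confirm this is intended.
# The IPv6 form of this route was dropped: `ip -6 route add 10.1.0.0/16 ...`
# mixes an IPv4 prefix with the IPv6 family and cannot succeed, and the compose
# network has enable_ipv6: false.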